Chapter Six: User and Security Management

Source: Internet
Author: User

I. Classification of users and groups

1) Group classification: User-level groups are added by the system administrator after the system is running, to hold users who need to share the same file information. The system management group holds users with system administration power: the superuser root belongs to the system group, and other users can also be placed in it, which gives them some administrative rights even though they are not root. System-predefined groups exist by default after installation and are typically used for specific functions.

2) User classification: root, administrative users and groups, and normal users and groups. Administrative users and groups can be added, deleted and modified only by root; members of the security group do not have the right to manage them, so you can make a user or group administrative to prevent it from being managed by members of the security group.

A user is defined as administrative in the /etc/security/user file, where each user has a set of control attributes; one of them, admin, determines whether the user is administrative and is set to true for an administrative user.

II. Configuration files

/etc/motd: notification text displayed to users every time they log on to the system. If you do not want a user to see this message, create a .hushlogin file in the user's home directory; the file must be created by root.

Users: the user name and user ID are stored in /etc/passwd, the user password in /etc/security/passwd, and the user's extended attributes in /etc/security/user. The default users that exist after installation are root, daemon, bin, adm, sys, uucp, guest, nobody and lpd.

Groups: /etc/group holds the group name, group ID and basic group attributes; extended group attributes are stored in /etc/security/group. Default groups that exist after installation include system, staff, bin, security, sys, adm, mail, cron, audit, printq, shutdown, etc.

Account creation: /usr/lib/security/mkuser.default holds the default attribute values for a newly created user; /etc/security/login.cfg stores the login control and authentication configuration.

User login: /etc/security/environ stores the user's working environment after entering the system; /etc/security/limits restricts the system resources users may use; /etc/security/lastlog records each user's last logon to the system.

III. Notes on password changes

If root changes a user's password, or a member of the security group changes it with pwdadm, the flags value for that user in /etc/security/passwd becomes ADMCHG, which requires the user to change the password: the user is forced to change it the next time they log on to the system or switch to that user with su.

When root sets a user's flags value to ADMIN in /etc/security/passwd, only root can change that user's password; members of the security group do not have permission to change it.

If the password field for a user in /etc/passwd is (*), or the password field in /etc/passwd is (!) and the password attribute in /etc/security/passwd is (*), the user's password must be set by root or by a member of the security group using the pwdadm command.

The restrictions on a user's password are stored in /etc/security/user and apply whenever that user's password is changed. Only root can change any password without being subject to these restrictions. In addition, when a user's flags attribute in /etc/security/passwd is set to NOCHECK, changes to that user's password are not constrained by these restrictions.

To display and modify user password attributes:

# smitty passwdattrs

IV. Clearing the root user password

1) Insert the first AIX installation medium into the tape drive or CD-ROM drive.

2) Press number key 5 to enter maintenance mode. The following appears:

3) Select 3 to enter:

4) Select 1 and press Enter to enter:

5) Select 0 and press Enter to enter:

6) Because rootvg contains the boot logical volume hd5, the system boots from it; a VG that does not contain hd5 cannot boot the system. So in step 5 you must select a VG and press Enter to see whether that VG contains hd5. When you select a VG and press Enter, you enter:

7) If this VG contains hd5, it is rootvg. There are two ways to enter rootvg: select "1" to enter and activate rootvg, mount the file systems on the root volume group, then run a shell and get the # prompt; or select "2" to enter and activate rootvg and, unlike "1", run a shell and get the # prompt before the file systems on rootvg are mounted. Select "1" here.

8) In single-user mode, set the TERM environment variable (for example vt100) with export.

9) # vi /etc/security/passwd, then delete the value of the password field in the root stanza so that it reads "password =" (blank password value); save and exit.

10) # sync; sync

11) # shutdown -Fr
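As an added example (not part of the original notes), a small shell audit that reads text in the /etc/security/passwd stanza format and reports the conditions described in section III and in step 9 above: an empty password value such as the recovery procedure leaves for root, a (*) password that only root or pwdadm can set, and the ADMIN, ADMCHG and NOCHECK flags. The sample stanzas are constructed; on a real host you would run it as root against /etc/security/passwd.

```shell
#!/bin/sh
# Constructed sample in the stanza format of /etc/security/passwd (not a real system file):
# "user:" starts a stanza, followed by indented "attribute = value" lines.
SAMPLE_PASSWD='root:
        password =
        lastupdate = 1700000000
        flags =

allen:
        password = abcdEFGH12345
        lastupdate = 1700000100
        flags = ADMCHG

svc:
        password = *
        flags = ADMIN,NOCHECK

guest:
        password = *
'

# Read stanza text on stdin; print one "<user> <finding>" line per condition found.
audit_passwd() {
    awk '
    # A non-indented line ending in ":" names the user whose stanza follows.
    /^[^ \t].*:[ \t]*$/ { user = $1; sub(/:$/, "", user); next }
    /^[ \t]*password[ \t]*=/ {
        val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]*$/, "", val)
        if (val == "")       print user " EMPTY_PASSWORD"      # logon needs no password at all
        else if (val == "*") print user " NO_VALID_PASSWORD"   # must be set by root or pwdadm
        next
    }
    /^[ \t]*flags[ \t]*=/ {
        val = $0; sub(/^[^=]*=[ \t]*/, "", val)
        n = split(val, f, /[ \t,]+/)
        for (i = 1; i <= n; i++) {
            if (f[i] == "NOCHECK") print user " NOCHECK_FLAG"  # /etc/security/user password rules bypassed
            if (f[i] == "ADMCHG")  print user " MUST_CHANGE_AT_NEXT_LOGIN"
            if (f[i] == "ADMIN")   print user " ROOT_ONLY_PASSWORD_CHANGE"
        }
    }'
}

# Run against the constructed sample; on a host use: audit_passwd < /etc/security/passwd
printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
```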

V. Overview of the user login process

1) The init process starts the getty process on a terminal.

2) The login program is called according to the settings in /etc/security/login.cfg and displays the "login:" prompt.

3) The user enters the user name and password.

4) If the password is incorrect, a failure record is written to /etc/security/failedlogin, a message that the user name or password is incorrect is displayed, and the user is prompted to re-enter.

5) If the password is correct, the user environment is set according to the contents of /etc/security/environ, /etc/security/limits and /etc/security/user.

6) Check whether $HOME/.hushlogin exists. If it does not, the contents of /etc/motd are displayed and then the initial shell program is started; if it does, /etc/motd is not displayed and the initial shell program is started directly.

7) Finally, according to the contents of /etc/profile, /etc/environment and $HOME/.profile, the user's personal environment is restored and the #, $ or % prompt is shown.

8) When the user exits the system with exit, logout or ^D, the init process starts a getty process on the terminal again.

The user's login shell executes /etc/profile, /etc/environment and $HOME/.profile, which establish all of the user's environment variables. Modifying /etc/environment or /etc/profile changes the environment settings for every user at logon; to make further settings for an individual user's environment, edit the .profile or .cshrc file in that user's home directory.

VI. Environment variables

Environment variables are variables required by any of the shell's child processes and are defined by the user in $HOME/.profile. You can also change environment variables temporarily on the command line. To make an environment variable effective in the user environment, use the export command.

1) Passing an environment variable to the current environment

# PATH=/bin:/etc:/usr/bin

# export PATH

2) Changing multiple environment variables at once

# export PATH=/bin:/etc:/usr/bin LOGNAME=allen HOME=/usr/$LOGNAME

VII. System log files

1) /var/adm/sulog ----> records every execution of the su command. This file can be viewed with the pg, more or cat commands.

2) /var/adm/wtmp ----> a record is written to this file when a user logs in successfully. /var/adm/wtmp covers all users entering and leaving the system, the time each user spent in the system, and the terminal or remote host from which the user entered. It can be viewed with the who and last commands.

3) /etc/utmp ----> a record is written to this file when a user logs in successfully. /etc/utmp contains only records of users currently in the system. Generally viewed with the who command.

4) /etc/security/failedlogin ----> records every failed attempt to log on to the system. Viewed with the who command.
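As an added example (not part of the original notes), a shell summary of the two failure sources listed above: failed su attempts to root from /var/adm/sulog, and failed logins per user and origin host from the output of "who /etc/security/failedlogin". Both samples are constructed; the sulog line layout (SU date time +/- tty from-to) and the who output layout are assumed.

```shell
#!/bin/sh
# Constructed sample lines in the layout /var/adm/sulog uses (not captured from a real host):
#   SU <mm/dd> <hh:mm> <+|-> <tty> <from-user>-<to-user>, where '+' = success, '-' = failure
SAMPLE_SULOG='SU 01/12 09:02 + pts/0 allen-root
SU 01/12 09:15 - pts/1 guest-root
SU 01/12 09:16 - pts/1 guest-root
SU 01/12 09:17 - pts/1 guest-root
SU 01/12 10:40 + pts/2 allen-allen
SU 01/12 11:05 - pts/3 daemon-root'

# Constructed sample of what "who /etc/security/failedlogin" prints (user, tty, time, origin):
SAMPLE_FAILED='guest    pts/1    Jan 12 09:10   (10.0.0.5)
guest    pts/1    Jan 12 09:11   (10.0.0.5)
allen    pts/4    Jan 12 09:30   (10.0.0.9)
guest    pts/1    Jan 12 09:12   (10.0.0.5)'

# Read sulog lines on stdin; print "<user> <count>" for every user whose failed
# su attempts to root reach the threshold in $1 (default 3), highest count first.
failed_su_to_root() {
    threshold=${1:-3}
    awk -v t="$threshold" '
    $1 == "SU" && $4 == "-" && $6 ~ /-root$/ {
        src = $6; sub(/-root$/, "", src); n[src]++
    }
    END { for (u in n) if (n[u] >= t) print u, n[u] }' | sort -k2,2nr
}

# Read who-style failedlogin lines on stdin; print "<user> <host> <count>", highest first.
# Records without a parenthesised origin are attributed to "local".
failed_logins_by_origin() {
    awk '{
        host = "local"
        if ($NF ~ /^\(.*\)$/) { host = $NF; gsub(/[()]/, "", host) }
        n[$1 " " host]++
    }
    END { for (k in n) print k, n[k] }' | sort -k3,3nr
}

# On a host: failed_su_to_root < /var/adm/sulog ; who /etc/security/failedlogin | failed_logins_by_origin
printf '%s\n' "$SAMPLE_SULOG"  | failed_su_to_root 3
printf '%s\n' "$SAMPLE_FAILED" | failed_logins_by_origin
```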

VIII. Command description

# chuser attribute=value attribute=value name

The chuser command changes the values of one or more attributes of a user, where name is the user name, which must already exist, and attribute is one of the attributes held in the following files:

/etc/passwd, /etc/security/environ, /etc/security/limits, /etc/security/user, /etc/security/user.roles, /etc/security/audit/config, /etc/group, /etc/security/group
